Session types have been proposed as a means of statically verifying implementations of communication protocols. Although prior work has been successful in verifying some classes of protocols, it does not cope well with parameterized, multi-actor scenarios with inherent asynchrony. For example, the sliding window protocol is inexpressible in previously proposed session type systems. This paper describes System-A, a new typing language which overcomes many of the expressiveness limitations of prior work. System-A explicitly supports asynchrony and parallelism, as well as multiple forms of parameterization. We define System-A and show how it can be used for the static verification of a large class of asynchronous communication protocols.



1 Introduction 

Session types [27] are a means of expressing the order of messages sent by actors [1] (or processes). In particular, session types can be used to statically check whether a group of processes communicates according to a given specification. In these systems, a global type specifies the permissible sequences of messages that participants may exchange in a given session, as well as the types of these messages. The typing requires the programmer to provide the global type. A projection algorithm then generates the restrictions implied by the global type for each participant. Such restrictions are called end-point types or local types and describe the expected behavior of individual participants in the protocol. The actual program code implementing the participant behavior is checked for conformance against this localized behavior specification. We are interested in generalizing prior work on session types to typing coordination constraints on actors, which can then be enforced, e.g., with Synchronizers [17, 19, 20] or in other ways [30].

This requires addressing two limitations of previous work. First, session types do not (directly) support asynchronous events; asynchronous communication leads to delays which require considering arbitrary shuffles. Second, we wish to consider parameterized protocols. For example, consider two actors communicating through a sliding window protocol: the actors agree on the length of the window (i.e., the number of messages that may be buffered) and then proceed to an exchange of concurrent messages. Prior work on session types is not suitable for typing protocols like this: the reason for this deficiency is the fact that their respective type languages depend on other formalisms for type checking (such as the typed λ-calculus or System T [25]) and these formalisms do not support a parallel construct.



Contributions. We overcome many of these shortcomings by developing System-A, a new system for expressing types for multi-party interaction that does not depend on other formalisms for type checking. The main contributions are (a) parameterized constructs for expressing asynchrony, parallelism, sequence and choice (Section 4), (b) a projection mechanism to provide type constraints on individual actors (Section 5), (c) the conditions under which conformance of the latter with the global type is assured (Sections 7 and 8), and finally (d) we show that structural equivalence of types is decidable in System-A, by proving strong normalization of our local types (Section 6). Proofs of our theorems are included in the long version of this paper [13].



Limitations. Using the strong normalization result, we can decide whether the local behavior of an actor follows the protocol. However, this result relies on a type inference mechanism for the actor's behavior (of the sort in Alur et al.). We do not describe such a type inference mechanism in this article. Moreover, we omit support for session delegation. Finally, our realizability results rely on structural criteria and are hence conservative rather than precise.



2 Related Work 



Session types [27, 39, 36, 26] originate from the context of π-calculi as statically derivable descriptions of process interaction behaviors. In two-party sessions, they allow us to statically verify that the participants have compatible behavior by requiring dual session types, that is, behaviors where each participant expects precisely the message sequence that the other participant sends and vice versa. Extensions to session types support asynchronous message passing [32] and introduce subtyping [21] for a looser notion of type compatibility. Session types have been integrated into functional [37, 35] and object-oriented [16, 29, 23] languages among others, with a wide range of applications including deadlock and livelock detection [24]. Other extensions deal with evolving system specifications using transformations [18]. Exception handling, which allows the participants of a protocol to escape the normal flow of control and coordinate on another, has been considered in [11, 10]. The present article combines three enhancements to session types that greatly extend their applicability: concurrent multi-party sessions, parameterized session types, and an enhanced syntax.



Asynchronous Multi-Party Sessions. Many real-world protocols involve more than two participants, which makes their description in terms of multiple two-party sessions unnatural. To overcome this limitation, Honda et al. [28] extend session types to support multiple participants: a global type specifies the interactions between all participants from a global perspective. A projection algorithm then mechanically derives the behavior specification of the individual participants, that is, the local type.

The notion of global type and the associated correctness requirements for projection were first studied by Carbone et al.; Bonelli's work on multi-point session types [7] treats multi-party protocols from the local perspective only. Bettini et al. allow multi-party sessions to interleave and derive a type system guaranteeing global progress. Gay et al. [22] consider subtyping in the presence of asynchrony.

The present article builds on the foundation of a global protocol specification and its projection onto local behaviors [28]. However, we do not address the question of local type safety and inference of actual programs, which is a major part of Honda et al.'s work. Furthermore, unlike their approach (but following Castagna et al. [12]), we simplify the notation for global types by replacing recursion with the Kleene star and limiting each pair of participants to use a single channel. We introduce an explicit shuffle operator to preserve the commutativity of message arrivals that can be achieved using multiple channels. Explicit shuffles also reduce the need for a special subtyping relationship that allows the permutation of (Lamport-style) concurrent asynchronous events for optimization.
Following Castagna's global type syntax further, we support join operations. Joins cannot be expressed in Honda et al.'s global types because of the linearity requirement. However, as Denielou remarks [15], join operations can only describe series-parallel graphs. Protocols such as the alternating bit protocol that require interleaved synchronization between two processes consequently cannot be expressed in our global type language. Our choice not to support generic graph structures as global types is founded on the desire to support parameterization and, at the same time, keep the language understandable; it remains unclear to us how to visualize parameterized graphs in an intuitive fashion.



Parameterized Session Types. Our major extension of global types over Honda et al. and Castagna et al.'s work is the introduction of parameters. The starting point for our parameterization of session types is the work of Yoshida et al. [38] and Bejleri [5]. Yoshida et al. augment the global types of Bettini et al. with primitive recursive combinators to obtain dependent types that support the parameterization of the repetition count and the connection topology. This allows, for example, using a single global type for a highly participant-count dependent butterfly network. Static verifiability, without instantiating the type parameters, is maintained by projecting onto parameterized local types that allow syntactic comparisons. In [14], Denielou et al. achieve parameterization by means of quantification over behavior specifications they call roles. Like Bettini et al. and unlike System-A, neither Denielou et al. nor Yoshida et al. support arbitrary, concurrency-induced shuffles in their global and local types. While Bettini et al. regain parallel composition through the interleaving of global types, it is unclear how the results transfer to the other two approaches.



Modeling of Multi-Party Protocols. Formalisms for describing multi-party communication protocols have been studied in the context of designing distributed systems and cryptographic protocols. As modeling tools, the formalisms provide ways to check a protocol for desired properties [40], or to synthesize such protocols [34]. In contrast to session types, the formalisms lack ways to statically verify the compliance of an actual protocol implementation against the specification. Denielou and Yoshida [15] discuss session types and their relation to work on distributed systems or cryptographic protocols in greater depth.



3 Motivation 

Formalisms introduced in previous work are not expressive enough to define the types of some interesting 
protocols such as the sliding window protocol, a locking-unlocking protocol, and a case of limited 
resource sharing. In this section, we demonstrate how the behavior of these protocols can be described 
in System-A. 



The Sliding Window Protocol. Assume an actor $a$ sends messages of type $m$ to an actor $b$, which acknowledges every received message with an $ack$ message. The protocol determines that at most $n$ messages can be unacknowledged at any given time, so that $a$ ceases sending until it receives another $ack$ message. In this example, the window size $n$ is a parameter, which means we need a way to express the fact that $n$ sending-acknowledging events can be in transit at any given instant in time. Following is the global type of the protocol, written for a fixed window size $n$:

$$(a \xrightarrow{m} b ; b \xrightarrow{ack} a)^{*} \;\Vert\; (a \xrightarrow{m} b ; b \xrightarrow{ack} a)^{*} \;\Vert\; \cdots \;\Vert\; (a \xrightarrow{m} b ; b \xrightarrow{ack} a)^{*} \qquad (n \text{ times})$$

$a \xrightarrow{m} b$ denotes that $a$ sends a message of type $m$ to $b$. Operator $;$ is used for sequencing interactions. $\Vert$ is used for composing its left and right arguments in parallel. The Kleene star has the usual semantics and takes precedence over $\Vert$.

The above type can be expressed using the notation of Castagna et al. [12], albeit with a fixed window size $n$. In System-A, on the other hand, we can parameterize the type in $n$ and statically verify that participants follow the protocol without knowing its value at run time. Using $\Vert_{i=1}^{n}$ to denote the parallel composition of $n$ processes, we obtain the following type in our notation:

$$\big\Vert_{i=1}^{n} \big( a \xrightarrow{m} b ; b \xrightarrow{ack} a \big)^{*}$$



Locking / Unlocking. Consider a set of $n$ processes, each of which needs to acquire exclusive access to a resource by sending it a $lock$ message. The resource replies with $ack$, the process uses the resource and unlocks it by sending an $unlock$ message, at which point the next process can do the same, and so on. The following type describes the locking-unlocking protocol for a fixed number of processes.

$$(c_1 \xrightarrow{lock} s ; s \xrightarrow{ack} c_1 ; c_1 \xrightarrow{unlock} s) \;\otimes\; \cdots \;\otimes\; (c_n \xrightarrow{lock} s ; s \xrightarrow{ack} c_n ; c_n \xrightarrow{unlock} s)$$

With $\otimes$ denoting shuffling, this formula expresses that any ordering of the $(c_i \xrightarrow{lock} s ; s \xrightarrow{ack} c_i ; c_i \xrightarrow{unlock} s)$ events is acceptable. To support a dynamic network topology, the number of participants should be a parameter. The following is the locking-unlocking example in System-A, where conformance to the protocol is statically verifiable without knowledge of the run-time value of $n$.

$$\bigotimes_{i=1}^{n} \big( c_i \xrightarrow{lock} s ; s \xrightarrow{ack} c_i ; c_i \xrightarrow{unlock} s \big)$$

Limited Resource Sharing. In this scenario, a server $s$ grants two clients $c_1$ and $c_2$ exclusive access to a set of $n$ resources. At any given point, a maximum of $n$ resources can be locked, but the relevant lock-ack-unlock messages from both clients can be interleaved in any way. Following is the global type for this situation:

$$\big\Vert_{i=1}^{n} \Big( c_1 \xrightarrow{lock_i} s ; s \xrightarrow{ack_i} c_1 ; c_1 \xrightarrow{unlock_i} s \;\oplus\; c_2 \xrightarrow{lock_i} s ; s \xrightarrow{ack_i} c_2 ; c_2 \xrightarrow{unlock_i} s \Big)^{*}$$

The parallel composition is parameterized in $n$, the number of resources. Each sequence of lock-ack-unlock messages is also parameterized in $i$, which ranges from 1 to $n$. This is necessary to ensure realizability of the protocol, as in the case of multiple outstanding requests it allows the participants to disambiguate the responses they receive. Each parallel instance subsumed by the $\Vert_{i=1}^{n}$ operator consists of a loop (Kleene star) which entails a choice, indicated by $\oplus$. Either $c_1$ gets access to a resource, or $c_2$, and this happens repeatedly.



4 Type Syntax 



4.1 Global Types 



A global type describes a protocol which the whole system must adhere to. The examples in Section 3 are all global types, since they describe the behavior of all participants. Global types in System-A can be constructed according to the grammar in Table 1, with operator descriptions following.
Table 1: The grammar of global types

$$\begin{array}{rcll}
\mathcal{G} & ::= & (\mathcal{G}) & \text{(G-Paren)} \\
& \mid & \varepsilon & \text{(G-Empty)} \\
& \mid & \mathcal{G} ; \mathcal{G} & \text{(G-Seq)} \\
& \mid & \mathop{;}_{i=1}^{n} \mathcal{G}_i & \text{(G-Seq-N)} \\
& \mid & \mathcal{G} \oplus \mathcal{G} & \text{(G-Choice)} \\
& \mid & \bigoplus_{i=1}^{n} \mathcal{G}_i & \text{(G-Choice-N)} \\
& \mid & \mathcal{G} \Vert \mathcal{G} & \text{(G-Parallel)} \\
& \mid & \big\Vert_{i=1}^{n} \mathcal{G}_i & \text{(G-Parallel-N)} \\
& \mid & \mathcal{G} \otimes \mathcal{G} & \text{(G-Shuffle)} \\
& \mid & \bigotimes_{i=1}^{n} \mathcal{G}_i & \text{(G-Shuffle-N)} \\
& \mid & p_1 \xrightarrow{t} p_2 & \text{(G-Interaction)} \\
& \mid & \mathcal{G}^{n} & \text{(G-Exp)} \\
& \mid & \mathcal{G}^{*} & \text{(G-KleeneStar)}
\end{array}$$



(G-Seq) is used for the sequential composition of events.

(G-Choice) denotes exclusive choice between the arguments. For instance, $\mathcal{G}_1 \oplus \mathcal{G}_2$ means that either $\mathcal{G}_1$ or $\mathcal{G}_2$ will be executed (but not both).

(G-Parallel) means that the arguments run in parallel; any interleaving of sequenced actions is possible. For instance, $(a \xrightarrow{t} b ; a \xrightarrow{u} c) \Vert c \xrightarrow{v} b$ means that any of the interleavings $ABC$, $ACB$, $CAB$ is possible, where $A = (a \xrightarrow{t} b)$, $B = (a \xrightarrow{u} c)$ and $C = (c \xrightarrow{v} b)$. Notice that $B$ is not allowed to precede $A$, as the ordering of actions as determined by operator $;$ is not allowed to change.

(G-Shuffle) means that both arguments are executed atomically, in an unspecified order. Formally,

$$\mathcal{G}_1 \otimes \mathcal{G}_2 = (\mathcal{G}_1 ; \mathcal{G}_2) \oplus (\mathcal{G}_2 ; \mathcal{G}_1).$$

(G-Interaction) denotes the sending and receiving of a message. For instance, $p_1 \xrightarrow{t} p_2$ means that process $p_1$ sends a message of type $t$ to process $p_2$.

(G-KleeneStar) has the usual semantics of zero or more repetitions of the argument.

The $n$-ary versions of the operators express behaviors where the value of $n$ is unknown at compile time. (G-Seq-N), (G-Choice-N), (G-Parallel-N), (G-Shuffle-N) apply the respective binary operator $n-1$ times to $n$ global types, parameterized in $i$. (G-Exp) denotes $n$-fold repetition of the argument (in sequence). Note that for known values of $n$, we do not need the $n$-ary rules of Table 1, as the desired behavior can be produced by suitable repeated applications of the binary operators.

All of the operators are commutative, with the exception of sequencing. All operators are furthermore associative, with the exception of shuffling. In particular,

$$\bigotimes_{i=1}^{n} \mathcal{G}_i \;\neq\; (\ldots((\mathcal{G}_1 \otimes \mathcal{G}_2) \otimes \mathcal{G}_3) \ldots) \otimes \mathcal{G}_n.$$

Instead, $\bigotimes_{i=1}^{n} \mathcal{G}_i$ means that all arguments $\mathcal{G}_i$ are executed atomically, but in an unspecified order.

The distinction between the Kleene star and exponentiation is fundamental. The use of $\mathcal{G}^{n}$ means that the protocol conformance checker will have to prove that the system is correct for any fixed value of the parameter $n$. $\mathcal{G}^{*}$ on the other hand means an arbitrary number of repetitions of $\mathcal{G}$. There is no parameter fixing this number and it may be different from instance to instance of the Kleene star and/or among executions of the same program with the same run-time values for its parameters.
4.2 Local Types

A local type specifies the abstract behavior of a single protocol participant. The syntax of local types is given in Table 2, with descriptions following.

Table 2: The grammar of local types

$$\begin{array}{rcll}
\mathcal{L} & ::= & (\mathcal{L}) & \text{(L-Paren)} \\
& \mid & \varepsilon & \text{(L-Empty)} \\
& \mid & a!t & \text{(L-Send)} \\
& \mid & a?t & \text{(L-Recv)} \\
& \mid & \mathcal{L} ; \mathcal{L} & \text{(L-Seq)} \\
& \mid & \mathop{;}_{i=1}^{n} \mathcal{L}_i & \text{(L-Seq-N)} \\
& \mid & \mathcal{L} \oplus \mathcal{L} & \text{(L-Choice)} \\
& \mid & \bigoplus_{i=1}^{n} \mathcal{L}_i & \text{(L-Choice-N)} \\
& \mid & \mathcal{L} \Vert \mathcal{L} & \text{(L-Parallel)} \\
& \mid & \big\Vert_{i=1}^{n} \mathcal{L}_i & \text{(L-Parallel-N)} \\
& \mid & \mathcal{L} \otimes \mathcal{L} & \text{(L-Shuffle)} \\
& \mid & \bigotimes_{i=1}^{n} \mathcal{L}_i & \text{(L-Shuffle-N)} \\
& \mid & \mathcal{L}^{n} & \text{(L-Exp)} \\
& \mid & \mathcal{L}^{*} & \text{(L-KleeneStar)}
\end{array}$$
(L-Seq), (L-Choice), (L-Parallel), (L-Shuffle), (L-Exp), (L-KleeneStar) are defined as in the case of global types (Section 4.1).

With (L-Parallel) being defined as in the global case, the local type $(a!t ; a!u) \Vert a!v$ again allows three orderings of the events $T = a!t$, $U = a!u$, and $V = a!v$: $TUV$, $TVU$, and $VTU$. As above, the specification $a!t ; a!u$ enforces that $T$ happens before $U$.

(L-Send) denotes sending a message of type $t$ to process $a$.

(L-Recv) denotes receiving a message of type $t$ from process $a$.

In the sliding window example of Section 3, the behavior of the sender $a$ is described by the local type $\big\Vert_{i=1}^{n} (b!m ; b?ack)^{*}$. Leaving out the initial $\Vert_{i=1}^{n}$ symbol for the time being, what remains is $(b!m ; b?ack)^{*}$. This means sending a message and then receiving an acknowledgment $(b!m ; b?ack)$, an arbitrary number of times. Assuming that the window size $n$ is a parameter, any interleaving of $n$ of these sequences is possible, with the obvious constraint of not receiving more acknowledgments than the number of messages sent. This is ensured by composing sequences of the form $(b!m ; b?ack)$, where ordering is forced by the $;$ operator.



5 Projection

The local type of the sliding window protocol in Section 4.2 is a restriction of the respective global type in Section 3 onto the individual processes. In this section, we investigate a way of automating this process. $\mathcal{G} \triangleright p$ is read "the projection of global type $\mathcal{G}$ onto process $p$" and the result is a local type as defined in Table 2. The projection function $\triangleright$ is formally defined in Table 3 and the result of applying it to all the processes in the system is an environment $\Delta = \{p_i : \mathcal{L}_i\}_{i \in I}$ which maps processes to local types.
Table 3: The projection function

$$\begin{array}{rcll}
(a \xrightarrow{m} b) \triangleright p & ::= & \begin{cases} b!m & \text{if } p = a \\ a?m & \text{if } p = b \\ \varepsilon & \text{otherwise} \end{cases} & \text{(P-Interaction)} \\[3ex]
(\mathcal{G}^{n}) \triangleright p & ::= & (\mathcal{G} \triangleright p)^{n} & \text{(P-Exp)} \\
(\mathcal{G}_1 \oplus \mathcal{G}_2) \triangleright p & ::= & (\mathcal{G}_1 \triangleright p) \oplus (\mathcal{G}_2 \triangleright p) & \text{(P-Choice)} \\
(\mathcal{G}_1 \Vert \mathcal{G}_2) \triangleright p & ::= & (\mathcal{G}_1 \triangleright p) \Vert (\mathcal{G}_2 \triangleright p) & \text{(P-Paral)} \\
(\mathcal{G}_1 ; \mathcal{G}_2) \triangleright p & ::= & (\mathcal{G}_1 \triangleright p) ; (\mathcal{G}_2 \triangleright p) & \text{(P-Seq)} \\
(\mathcal{G}_1 \otimes \mathcal{G}_2) \triangleright p & ::= & (\mathcal{G}_1 \triangleright p) \otimes (\mathcal{G}_2 \triangleright p) & \text{(P-Shuffle)} \\
\big(\mathop{;}_{i=1}^{n} \mathcal{G}_i\big) \triangleright p & ::= & \mathop{;}_{i=1}^{n} (\mathcal{G}_i \triangleright p) & \text{(P-Seq-N)} \\
\big(\bigoplus_{i=1}^{n} \mathcal{G}_i\big) \triangleright p & ::= & \bigoplus_{i=1}^{n} (\mathcal{G}_i \triangleright p) & \text{(P-Choice-N)} \\
\big(\bigotimes_{i=1}^{n} \mathcal{G}_i\big) \triangleright p & ::= & \bigotimes_{i=1}^{n} (\mathcal{G}_i \triangleright p) & \text{(P-Shuffle-N)} \\
\big(\big\Vert_{i=1}^{n} \mathcal{G}_i\big) \triangleright p & ::= & \big\Vert_{i=1}^{n} (\mathcal{G}_i \triangleright p) & \text{(P-Paral-N)}
\end{array}$$

For the lock/unlock example of Section 3, projecting onto a client $c_k$ and the server $s$ yields

$$\begin{array}{rcll}
\mathcal{G} \triangleright c_k & = & \Big(\bigotimes_{i=1}^{n} (c_i \xrightarrow{lock} s ; s \xrightarrow{ack} c_i ; c_i \xrightarrow{unlock} s)\Big) \triangleright c_k & \\
& = & \bigotimes_{i=1}^{n} \big( (c_i \xrightarrow{lock} s ; s \xrightarrow{ack} c_i ; c_i \xrightarrow{unlock} s) \triangleright c_k \big) & \text{(P-Shuffle-N)} \\
& = & \varepsilon \otimes \cdots \otimes (s!lock ; s?ack ; s!unlock) \otimes \cdots \otimes \varepsilon & \text{(P-Interaction), (P-Seq)} \\
& = & s!lock ; s?ack ; s!unlock, & \text{(eliminating } \varepsilon\text{)} \\[2ex]
\mathcal{G} \triangleright s & = & \Big(\bigotimes_{i=1}^{n} (c_i \xrightarrow{lock} s ; s \xrightarrow{ack} c_i ; c_i \xrightarrow{unlock} s)\Big) \triangleright s & \\
& = & \bigotimes_{i=1}^{n} \big( (c_i \xrightarrow{lock} s ; s \xrightarrow{ack} c_i ; c_i \xrightarrow{unlock} s) \triangleright s \big) & \text{(P-Shuffle-N)} \\
& = & \bigotimes_{i=1}^{n} (c_i?lock ; c_i!ack ; c_i?unlock). & \text{(P-Interaction), (P-Seq)}
\end{array}$$

In the projection onto $c_k$, only the $k$-th operand of the shuffle projects to something other than $\varepsilon$.

Similarly, the projected local types for the resource sharing protocol of Section 3 are

$$\begin{array}{rcl}
\mathcal{L}_s & = & \big\Vert_{i=1}^{n} \big( c_1?lock_i ; c_1!ack_i ; c_1?unlock_i \;\oplus\; c_2?lock_i ; c_2!ack_i ; c_2?unlock_i \big)^{*} \\[1ex]
\mathcal{L}_{c_1} & = & \big\Vert_{i=1}^{n} \big( s!lock_i ; s?ack_i ; s!unlock_i \big)^{*} \\[1ex]
\mathcal{L}_{c_2} & = & \big\Vert_{i=1}^{n} \big( s!lock_i ; s?ack_i ; s!unlock_i \big)^{*}.
\end{array}$$
6 Type Checking

Given a global type, we need to be able to check the respective projections against the local types inferred from the program itself. This is possible due to the following properties of our language of local types:

Theorem 1 (Weak Normalization). For any local type $\mathcal{L}$ in System-A, there exists a finite sequence of reduction steps which brings the type to a normal form.

We prove this in the extended version of this paper [13], where we provide the reduction semantics and a normalization process.

Corollary 1 (Strong Normalization). For every local type $\mathcal{L}$ in System-A, all sequences of reduction steps are finite and lead to the same normal form.

In the extended version of this paper, we show that the aforementioned normalization process uniquely determines the reduction semantics, implying the uniqueness of normal forms.

Checking structural equivalence of the types derived from the program against the projections is decidable up to α-conversion. However, all that is required to overcome this issue is that names in the code are consistent with those in the supplied global type. In our opinion it is reasonable to expect programmers to adhere to such a naming convention.



7 Global Type Realization

In this section, we discuss the properties that a given global type must satisfy in order to be projectable. These properties are discussed while assuming actor semantics [1] for the messaging system; that is, asynchronous, unordered and eventual (guaranteed, albeit with arbitrary delay) delivery of messages. Applying the projection function to a projectable global type will result in local types for the participants whose combined behavior is consistent with the global type, a fact we show in Section 8. The subsequent discussion of projectability criteria uses the following definitions:

Definition 1 (Event). An event is a single interaction $p_1 \xrightarrow{m} p_2$ in a global type.

We extend the projection function to events and write $e \triangleright p$ to denote the projection of event $e$ onto process $p$ using rule (P-Interaction).

Definition 2 (Trace). A trace is a sequence of events producible by a global type and is of the form $e_1 ; e_2 ; \ldots ; e_k$. The set of traces a global type $\mathcal{G}$ can produce is denoted by $tr(\mathcal{G})$. The first and last events of a trace $t$ are denoted $first(t)$ and $last(t)$ respectively. Abusing notation, the set of events that appear first in traces of $\mathcal{G}$ is denoted $first(\mathcal{G}) = \{first(t) \mid t \in tr(\mathcal{G})\}$. Similarly, the set of events that appear last in traces of $\mathcal{G}$ is denoted $last(\mathcal{G})$.

Since a trace is simply a sequence of events of the form $p \xrightarrow{m} q$, we extend the projection function to traces in the natural way. We write $t \triangleright p$ to denote the projection of trace $t$ onto process $p$ using rules (P-Seq) and (P-Interaction).



7.1 Sequentiality Criterion

The purpose of this criterion is to ensure that the sequential constructs of a global type retain sequential semantics after projection. As an example problematic case, consider $\mathcal{G}_1 = a \xrightarrow{m_1} b ; c \xrightarrow{m_2} d$. Without the use of some covert coordination channel (for example by implementing a barrier mechanism), it is impossible for $c$ to know when $b$ has received the message. The two events $a \xrightarrow{m_1} b$ and $c \xrightarrow{m_2} d$ are impossible to order using our projection function, as the resulting environment would be $\Delta_1 = \{a : b!m_1,\; b : a?m_1,\; c : d!m_2,\; d : c?m_2\}$, which allows $c$ to send $m_2$ to $d$ before $a$ sends $m_1$ to $b$. $\mathcal{G}_1$ does not satisfy the sequentiality criterion and thus is not projectable.

Another problematic case is $\mathcal{G}_2 = a \xrightarrow{m_1} b ; a \xrightarrow{m_2} b$, where $a$ cannot know when $m_1$ has been received so as to start transmitting $m_2$; hence $\mathcal{G}_2$ is not projectable either. The following definition captures the conditions under which events are guaranteed to respect the sequencing restrictions imposed in a global type, when the latter is projected onto individual processes.

Definition 3 (Sequentially Projectable Global Type). The set of sequentially projectable (SP) global types is defined inductively as follows:

$$\begin{array}{l}
p_1 \xrightarrow{m} p_2 \in SP \qquad \forall p_1, p_2 \in \Pi \\[1ex]
p_1 \xrightarrow{m_1} p_2 ; p_2 \xrightarrow{m_2} p_3 \in SP \qquad \forall p_1, p_2, p_3 \in \Pi \\[1ex]
\big(\forall e_1 \in last(\mathcal{G}_1),\, e_2 \in first(\mathcal{G}_2) \Rightarrow (e_1 ; e_2) \in SP\big) \Rightarrow (\mathcal{G}_1 ; \mathcal{G}_2) \in SP \\[1ex]
\big(\forall e_1 \in last(\mathcal{G}\{1/i\}),\, e_2 \in first(\mathcal{G}\{2/i\}) \Rightarrow (e_1 ; e_2) \in SP\big) \Rightarrow \mathop{;}_{i=1}^{n} \mathcal{G}_i \in SP \\[1ex]
\big(\forall e_1 \in last(\mathcal{G}),\, e_2 \in first(\mathcal{G}) \Rightarrow (e_1 ; e_2) \in SP\big) \Rightarrow \mathcal{G}^{n} \in SP \\[1ex]
\big(\forall e_1 \in last(\mathcal{G}),\, e_2 \in first(\mathcal{G}) \Rightarrow (e_1 ; e_2) \in SP\big) \Rightarrow \mathcal{G}^{*} \in SP
\end{array}$$

where $\Pi$ denotes the set of processes.

Illustrating the third case of the definition above, the following global type is in SP:

$$\mathcal{G} = (a \xrightarrow{m_1} b \;\Vert\; c \xrightarrow{m_2} b) ; (b \xrightarrow{m_3} l \;\Vert\; b \xrightarrow{m_4} k)$$

It is easy to see that $last(a \xrightarrow{m_1} b \Vert c \xrightarrow{m_2} b) = \{a \xrightarrow{m_1} b,\; c \xrightarrow{m_2} b\}$ and $first(b \xrightarrow{m_3} l \Vert b \xrightarrow{m_4} k) = \{b \xrightarrow{m_3} l,\; b \xrightarrow{m_4} k\}$, so that all four sequences (e.g. $a \xrightarrow{m_1} b ; b \xrightarrow{m_4} k$) are in SP according to the first two lines of the definition above.

7.2 Choice Criterion

The purpose of this criterion is to ensure that projecting $\mathcal{G}_1 \oplus \mathcal{G}_2$ maintains the choice semantics, meaning that all participants can recognize which branch of the choice operator they need to take during execution. As an example of a type that does not satisfy this criterion, consider

$$\mathcal{G} = (a \xrightarrow{m_1} b ; b \xrightarrow{m} c ; c \xrightarrow{t_1} d) \;\oplus\; (a \xrightarrow{m_2} b ; b \xrightarrow{m} c ; c \xrightarrow{t_2} d).$$

Here, $a$ and $b$ know which branch they are on, because on the left branch $b$ receives a message of type $m_1$ from $a$, while on the right branch it receives a message of type $m_2$. However, from that point on, $b$ behaves identically with respect to $c$, which has no way of telling whether the message to send to $d$ should be of type $t_1$ or $t_2$. We call the first point at which two traces differ with respect to a given process the distinctive point, which can be $\varepsilon$ if no such point exists. This notion is formalized in the following definition:

Definition 4 (Distinctive Point). The distinctive point of a process $p$ with respect to a pair of traces $t_1 = (e_1 ; \ldots ; e_k) \in tr(\mathcal{G})$ and $t_2 = (f_1 ; \ldots ; f_l) \in tr(\mathcal{G})$ is an index $i$ given by

$$d_{t_1,t_2}(p) = \min\{\, i \mid (e_i \triangleright p) \neq (f_i \triangleright p) \,\}$$

where $e_i, f_i$ denote events. In the case where $t_1 \triangleright p = \varepsilon$, or $t_2 \triangleright p = \varepsilon$, or $t_1 \triangleright p = t_2 \triangleright p$, no such $i$ exists and the distinctive point is defined to be $\varepsilon$.
The definition that follows captures the conditions under which the choice semantics are maintained after projection. The first bullet deals with the non-parameterized version of the choice operator $\oplus$. Item (i) captures the case where a process $p$ is the first process acting on the two branches, in which case it must inform the others of the branch they are on. It does so either by sending a different message, or by sending to a different process in each case. Note that the same process must inform the others on both branches. Item (ii) captures the case where $p$ is not the first process to act, in which case it must be informed of the branch it is on and the distinctive point should be a suitable receive event.

Notice how the second bullet deals with shuffling by means of choice. Clearly, if a process can tell whether it is on $\mathcal{G}_1$ or $\mathcal{G}_2$, it is also able to tell the order in which they appear.

The third bullet inductively uses the previous two to define choice-wise projectability in the parameterized cases of choice $\bigoplus$ and shuffle $\bigotimes$.

Definition 5 (Choice-Wise Projectable Global Type). The set of Choice-Wise Projectable (CP) global types is defined inductively as follows:

• $\mathcal{G} = \mathcal{G}_1 \oplus \mathcal{G}_2 \in CP$ iff $\forall p \in \Pi$, either of the following is true:

 (i) $\forall e_1 \in first(\mathcal{G}_1),\, e_2 \in first(\mathcal{G}_2)$: $e_1 = p \xrightarrow{m} q$ and $e_2 = p \xrightarrow{m'} q'$, where $p \neq q$, $p \neq q'$ and ($q \neq q'$ or $m \neq m'$);

 (ii) $\forall t_1 = (s_1, \ldots, s_{k_1}) \in tr(\mathcal{G}_1),\, t_2 = (u_1, \ldots, u_{k_2}) \in tr(\mathcal{G}_2)$: either $d_{t_1,t_2}(p) = \varepsilon$, or $d_{t_1,t_2}(p) = i$ and $s_i = q \xrightarrow{m} p$, $u_i = q' \xrightarrow{m'} p$, where $p \neq q$, $p \neq q'$ and ($q \neq q'$ or $m \neq m'$).

• $\mathcal{G} = \mathcal{G}_1 \otimes \mathcal{G}_2 \in CP$ iff $\mathcal{G}_1 \oplus \mathcal{G}_2 \in CP$

• $\mathcal{G} = \bigoplus_{i=1}^{n} \mathcal{G}_i \in CP$ iff $(\mathcal{G}\{1/i\} \oplus \mathcal{G}\{2/i\}) \in CP$

• $\mathcal{G} = \bigotimes_{i=1}^{n} \mathcal{G}_i \in CP$ iff $(\mathcal{G}\{1/i\} \oplus \mathcal{G}\{2/i\}) \in CP$

The criterion for parameterized shuffling $\bigotimes_{i=1}^{n}$ is stricter than what one can derive if the value of $n$ is given. However, it is hard to loosen the constraint when it is dealt with as a parameter.

7.3 Parallel Composability Criterion

As an example of what can go wrong when composing two global types using the $\Vert$ operator, consider the example

$$\mathcal{G} = \big( (a \xrightarrow{m_1} b ; b \xrightarrow{k_1} c) \;\oplus\; (a \xrightarrow{m_2} b ; b \xrightarrow{k_2} c) \big) \;\Vert\; a \xrightarrow{m_1} b.$$

The intended behavior of $\mathcal{G}$ is that $a$ chooses whether to send a message of type $m_1$ or $m_2$ to $b$, which in turn decides whether to send $c$ a message of type $k_1$ or $k_2$. Concurrently with this, an additional $m_1$ is sent from $a$ to $b$. Assume that as far as $\oplus$ is concerned, $a$ decides to send $m_2$ to $b$. It is then obvious how the additional parallel event $a \xrightarrow{m_1} b$ might confuse $b$ into simultaneously taking both branches of the choice operator.

In general, the problem appears when actions in one parallel branch affect choices made on another. Global types that do not exhibit this problem are parallel projectable (PP).
Definition 6 (Parallel Projectable Global Types). For two global types $\mathcal{G}_1$ and $\mathcal{G}_2$, $\mathcal{G} = \mathcal{G}_1 \Vert \mathcal{G}_2$ is parallel projectable (PP) if there is no overlap between the distinctive points in $\mathcal{G}_1$ and events in $\mathcal{G}_2$. Formally,

• $\mathcal{G}_1 \Vert \mathcal{G}_2 \in PP$ iff $\forall t_1 = (e_1, \ldots, e_k),\, t_1' = (e_1', \ldots, e_{k'}') \in tr(\mathcal{G}_1),\, t_2 \in tr(\mathcal{G}_2),\, p \in \Pi$ we have $d_{t_1,t_1'}(p) = i$ and one of the following is true:

 (a) $i = \varepsilon$

 (b) $e_i$ and $e_i'$ both have $p$ as the sender

 (c) $e_i \notin t_2$ and $e_i' \notin t_2$

• $\big\Vert_{i=1}^{n} \mathcal{G}_i \in PP$ iff $(\mathcal{G}\{1/i\} \Vert \mathcal{G}\{2/i\}) \in PP$

where $\Pi$ denotes the set of processes. Notice how this definition incorporates parallel composability of two Kleene-starred types (the Kleene star entails a choice pertaining to loop entrance and exit).

7.4 Kleene Star Criterion

Use of the Kleene star in global types can result in protocols whose projection is unsafe, that is, can result in execution traces that are not part of the original global type. To avoid this, a global type must be such that the entry and exit conditions of the starred type can be identified by all participants. Determining whether this is the case requires inspection of not only the starred type itself, but also of what comes after the starred section.

Definition 7 (Kleene Star Projectable Global Types). For global types $\mathcal{G}$ and $\mathcal{G}'$, we say that $\mathcal{G}^{*} ; \mathcal{G}'$ is Kleene Star Projectable (KP) iff $\mathcal{G} \oplus \mathcal{G}' \in CP$.

As an example of a type that is not in KP, consider $\mathcal{G} = (a \xrightarrow{m} b ; b \xrightarrow{m'} c)^{*} ; c \xrightarrow{m''} d$, where $c$ has no way of knowing whether it should wait for $m'$ from $b$, or proceed immediately with sending $d$ the message $m''$.
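The constructions of Sections 4, 5 and 7 can be exercised on concrete instances. The following Python program is an added illustration and not code from the paper: it models global types as a small syntax tree, enumerates $tr(\mathcal{G})$ with the Kleene star unrolled to a fixed bound, implements the projection $\triangleright$ of Table 3 (dropping $\varepsilon$ operands the way the lock/unlock derivation of Section 5 does), and encodes the sequentiality condition of Definition 3 together with the distinctive point and the choice criterion of Definitions 4 and 5 for a single process. The class and function names, the tuple encoding of local events and the instantiation of the $n$-ary operators with a concrete $n$ are our choices; the protocols are the paper's Section 3 and Section 7.2 examples.

```python
"""Executable model of System-A global types: trace sets (Section 4), projection
(Section 5) and two projectability checks (Section 7).  Added illustration, not
the paper's code: names are ours, Kleene star is unrolled to a fixed bound so
trace sets stay finite, and n-ary operators are instantiated with a concrete n."""
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class Msg:                     # (G-Interaction): src --msg--> dst
    src: str; msg: str; dst: str

@dataclass(frozen=True)
class Op:                      # ';' seq, '+' choice, '|' parallel, 'x' shuffle, '*' star
    op: str; args: tuple

EPS = Op(';', ())              # the empty type (G-Empty)

def seq(*a): return Op(';', a)
def choice(*a): return Op('+', a)
def par(*a): return Op('|', a)
def shuffle(*a): return Op('x', a)
def star(g): return Op('*', (g,))

def interleave(xs, ys):        # all interleavings of two event tuples (G-Parallel)
    if not xs or not ys:
        return {xs + ys}
    return ({(xs[0],) + t for t in interleave(xs[1:], ys)} |
            {(ys[0],) + t for t in interleave(xs, ys[1:])})

def traces(g, bound=2):
    """tr(G) as a set of event tuples; every star is unrolled 0..bound times."""
    if isinstance(g, Msg):
        return {(g,)}
    if g.op == ';':
        out = {()}
        for a in g.args:
            out = {s + t for s in out for t in traces(a, bound)}
        return out
    if g.op == '+':
        return set().union(*(traces(a, bound) for a in g.args))
    if g.op == '|':
        out = {()}
        for a in g.args:
            out = set().union(*(interleave(s, t) for s in out for t in traces(a, bound)))
        return out
    if g.op == 'x':            # (G-Shuffle): any order, each argument run atomically
        return set().union(*(traces(seq(*p), bound) for p in permutations(g.args)))
    return set().union(*(traces(seq(*([g.args[0]] * k)), bound) for k in range(bound + 1)))

def project(g, p):
    """G ▷ p (Table 3): local events are ('!', peer, msg) / ('?', peer, msg);
    ε operands of ';', '|' and 'x' are dropped, as in the paper's derivation."""
    if isinstance(g, Msg):
        if p == g.src: return ('!', g.dst, g.msg)
        if p == g.dst: return ('?', g.src, g.msg)
        return EPS
    parts = tuple(project(a, p) for a in g.args)
    if g.op in (';', '|', 'x'):
        parts = tuple(x for x in parts if x != EPS)
        if len(parts) == 1:
            return parts[0]
    return EPS if all(x == EPS for x in parts) else Op(g.op, parts)

def first(g): return {t[0] for t in traces(g) if t}
def last(g): return {t[-1] for t in traces(g) if t}

def sequential_ok(g1, g2):
    """Definition 3, case (G1 ; G2): receiver of each last event of G1 is the sender of each first event of G2."""
    return all(e1.dst == e2.src for e1 in last(g1) for e2 in first(g2))

def distinctive_point(t1, t2, p):
    """Definition 4: 1-based index where t1, t2 first project differently onto p; None = ε."""
    l1, l2 = [project(e, p) for e in t1], [project(e, p) for e in t2]
    if all(x == EPS for x in l1) or all(x == EPS for x in l2) or l1 == l2:
        return None
    return next((i + 1 for i, (x, y) in enumerate(zip(l1, l2)) if x != y), None)

def choice_ok(g1, g2, p):
    """Definition 5, first bullet, for process p: p decides with distinguishable sends (i)
    or learns the branch from a distinguishing receive at the distinctive point (ii)."""
    f1, f2 = first(g1), first(g2)
    if f1 and f2 and all(e1.src == p == e2.src and (e1.dst, e1.msg) != (e2.dst, e2.msg)
                         for e1 in f1 for e2 in f2):
        return True
    for t1 in traces(g1):
        for t2 in traces(g2):
            i = distinctive_point(t1, t2, p)
            if i is not None:
                s, u = t1[i - 1], t2[i - 1]
                if not (s.dst == p == u.dst and (s.src, s.msg) != (u.src, u.msg)):
                    return False
    return True

# Section 3 protocols with a concrete n (the paper keeps n symbolic).
def sliding_window(n):
    return par(*[star(seq(Msg('a', 'm', 'b'), Msg('b', 'ack', 'a'))) for _ in range(n)])

def lock_unlock(n):
    return shuffle(*[seq(Msg(f'c{i}', 'lock', 's'), Msg('s', 'ack', f'c{i}'),
                         Msg(f'c{i}', 'unlock', 's')) for i in range(1, n + 1)])

# Section 7.2 example: every process except c can tell which branch it is on.
BRANCH1 = seq(Msg('a', 'm1', 'b'), Msg('b', 'm', 'c'), Msg('c', 't1', 'd'))
BRANCH2 = seq(Msg('a', 'm2', 'b'), Msg('b', 'm', 'c'), Msg('c', 't2', 'd'))
```

Running the checks on the Section 7.2 example reproduces the text: choice_ok is true for a, b and d and false for c, because the distinctive point for c is its own send of t1 or t2 rather than a receive that distinguishes the branches. With two window slots, traces(sliding_window(2), bound=1) contains the trace with two m messages in flight before any ack, which a single starred sequence could not produce. The bound on star unrolling is an analysis shortcut, not part of the paper's definitions: the trace-based checks only examine traces up to that length and can miss a violation that appears only in longer ones.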



8 Correctness 

The conditions discussed above are sufficient to ensure that the projection function generates local types 
which are functionally consistent with the global type. We call a global type that satisfies all of the above 
criteria projectable: 

Definition 8 (Projectable Global Type). The set of projectable (PR) global types is inductively defined 
in lTable 41 



Theorem 2 formalizes our intuition that under the constraints mentioned above, the projection func- 
tion is correct; that is, the projected environment is consistent with the global type. In what follows, 
tr(A) with A = {pi : J^^iei denotes the set of traces producible by environment A. Also, Ag? denotes the 
environment resulting from the projection of onto the set of processes, i.e. Ag? = {p : p} pen- 
Theorem 2. £PR^ tr(&) = tr(A*f) 

We sketch the proof of this theorem in the extended version of this paper lfT3l . where we inductively 



treat each of the cases in Table 4 What needs to be proved is essentially Vf G tr(@) <^t G tr(A<g). While 



the forward direction is rather obvious, proving that the projected environment does not generate traces 



that are not part of the original global type is trickier and is why we need the criteria of Section 7 

Proving this theorem, we get a correctness proof of our projection function (given the premises 
discussed previously) for free. 
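The following trace-level check is an added worked example, not part of the paper. It spells out why the non-KP type of Section 7 breaks the backward direction of Theorem 2, assuming (as is stated nowhere on this page) that projection gives $c$ the local type written below in an informal ?/! notation, and that sends are non-blocking, so $b$ emits $m'$ whether or not $c$ will consume it.

```latex
% Added worked example (not from the paper). Global type from Section 7:
\mathcal{G} = (a \to b \,;\, b \xrightarrow{m'} c)^{*} \,;\, c \xrightarrow{m''} d

% Assumed projection onto c (informal: ?x from p = receive, !x to p = send):
\mathcal{G} \upharpoonright c = (\,?m' \text{ from } b\,)^{*} \,;\, !m'' \text{ to } d

% A trace of the global type: one full iteration, then the exit message.
t_1 = a \to b,\; b \xrightarrow{m'} c,\; c \xrightarrow{m''} d \qquad t_1 \in tr(\mathcal{G})

% c's local type also admits zero iterations, so in the projected environment
% c may send m'' after a \to b has happened but before m' arrives; b, being
% asynchronous, still sends m' afterwards:
t_2 = a \to b,\; c \xrightarrow{m''} d,\; b \xrightarrow{m'} c \qquad t_2 \in tr(\Delta_{\mathcal{G}})

% In \mathcal{G} every a \to b is followed by b \to c before c \to d can occur,
% so t_2 \notin tr(\mathcal{G}). Hence tr(\Delta_{\mathcal{G}}) \not\subseteq tr(\mathcal{G}):
% the direction of Theorem 2 that KP is needed for fails, as the projection
% cannot tell c where the starred section ends.
```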
Table 4: The set PR 

$\epsilon \in PR$ 
$a \to b \in PR$ 
$\mathcal{G} \in PR$ and $\mathcal{G}^{*} \in SP$ $\implies$ $\mathcal{G}^{*} \in PR$ 
$\mathcal{G}_1, \mathcal{G}_2 \in PR$ and $(\mathcal{G}_1 \,;\, \mathcal{G}_2) \in SP$ $\implies$ $(\mathcal{G}_1 \,;\, \mathcal{G}_2) \in PR$ 
$\mathcal{G}_1, \mathcal{G}_2 \in PR$ and $(\mathcal{G}_1 \oplus \mathcal{G}_2) \in CP$ $\implies$ $(\mathcal{G}_1 \oplus \mathcal{G}_2) \in PR$ 
$\mathcal{G}_1, \mathcal{G}_2 \in PR$ and $(\mathcal{G}_1 \otimes \mathcal{G}_2) \in CP$ $\implies$ $(\mathcal{G}_1 \otimes \mathcal{G}_2) \in PR$ 
$\mathcal{G}_1, \mathcal{G}_2 \in PR$ $\implies$ $(\mathcal{G}_1 \parallel \mathcal{G}_2) \in PR$ 
$\mathcal{G}_1, \mathcal{G}_2 \in PR$ and $(\mathcal{G}_1^{*} \,;\, \mathcal{G}_2) \in SP \cap KP$ $\implies$ $(\mathcal{G}_1^{*} \,;\, \mathcal{G}_2) \in PR$ 
$\mathcal{G}_i \in PR$ and $\big(\,;_{i=1}^{n} \mathcal{G}_i\big) \in SP$ $\implies$ $\big(\,;_{i=1}^{n} \mathcal{G}_i\big) \in PR$ 
$\mathcal{G}_i \in PR$ and $\big(\bigoplus_{i=1}^{n} \mathcal{G}_i\big) \in CP$ $\implies$ $\big(\bigoplus_{i=1}^{n} \mathcal{G}_i\big) \in PR$ 
$\mathcal{G}_i \in PR$ and $\big(\bigotimes_{i=1}^{n} \mathcal{G}_i\big) \in CP$ $\implies$ $\big(\bigotimes_{i=1}^{n} \mathcal{G}_i\big) \in PR$ 
$\mathcal{G}_i \in PR$ $\implies$ $\big(\big\Vert_{i=1}^{n} \mathcal{G}_i\big) \in PR$ 



9 Conclusions and Future Work 



We introduced System-A which allows for parameterized parallelism, where the number of participants, 
the types of messages sent, as well as the number of such messages are controlled by type parameters. 
Choice among various execution paths can also be parameterized, so that the number and types of differ- 
ent paths to be taken is not known at compile time. System-A also introduces a shuffling operator, which 
expresses arbitrary reordering of its arguments, again in a parameterized fashion. A series of examples 
demonstrates the usefulness of these extensions, which allow us to specify and check previously inex- 
pressible interactions such as the sliding window protocol and parallel resource locking/unlocking (Sec- 
tion 3). In System-A, we can statically verify — without instantiating the parameters — the compliance of 
implementations to protocols: we do this by first projecting (Section 5) the specification to parameterized 
types, and then comparing these projections against the types extracted from the program. An important 
result we obtain is that structural equivalence of types in System-A is decidable; we present this result 
in Section 6 by first showing weak and subsequently strong normalization of local types. Unlike other 
typing proposals, System-A does not depend on other theories (typed $\lambda$-calculus, system T, or system F) 
for type-checking. In Section 7 we discuss the conditions under which our projection function is correct 
and state their sufficiency in Section 8. 



Future Work. Complete type checking with System-A is only decidable up to type inference; we do 
not provide an algorithm for inference of suitable types in an actor language. The design of a pro- 
gramming language along with the relevant type inference algorithm is the next step towards a practical 
implementation. 

Another practical consideration includes semantic comparison of local types. Our normalization al- 
gorithm [13] already includes many cases of semantically equivalent, yet structurally differing types. 
Semantic comparison is unnecessary for the weak normalization proof, but would be useful in a prac- 
tical setting where the user is interested in semantic adherence to a protocol. Specifically for the case 
where reordering of terms is possible as a result of operator commutativity, our suggested coding only 
serves as an existential proof. A more practical coding scheme could be developed, perhaps employing 
lexicographic ordering. 

Denielou et al. [14] propose a system where parameterization is achieved by means of quantification 
over roles. Roles are behavior specifications that are taken up by processes while they participate in 
a protocol, and processes are allowed to join and leave protocols (respectively, adopt and drop roles) 
dynamically. Their notation's expressiveness is limited when it comes to arbitrary, concurrency-induced 
interleavings of events. Nevertheless, incorporating their ideas in System-A would greatly expand the 
applicability of the ideas presented here, towards a different direction than what is addressed in the 
present paper. 

Support for session delegation and exception handling (in the sense of Carbone et al. [10]) repre- 
sents another opportunity for extension. Furthermore, it may be possible to transfer the recent, precise 
realizability results [4] for choreographies [33] to our parameterized specifications. 